The proposals form part of the government's plans for implementing the EU's Network and Information Systems (NIS) Directive, which is due to come into force in May 2018. Fines of up to £17m or 4% of an organisation's global turnover, whichever is higher, could be imposed for loss of service if the operator has not taken steps to guard against the risk of cyber attacks, power failures, environmental hazards and other threats affecting IT, according to a consultation, which closes on 30 September 2017.
"We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards," said digital minister Matt Hancock.
The measures, once implemented, will form part of the government's five year £1.9 billion National Cyber Security Strategy. They will also compliment the UK's implementation of the EU's General Data Protection Regulation, which will introduce similar penalties for the most serious data breaches.
Cyber security expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said that the level of fines proposed "reflected the importance of protecting the essential and digital services which underpin our economy and connected world today".
"The level of fines also signifies a change in approach: the potential sanction will operate to force providers to comply and design cyber resilience etc. into their systems and services," he said.
The NIS Directive sets out measures designed to ensure critical IT systems in central sectors of the economy like banking, energy, health and transport are secure. It will apply to operators of such 'essential services', as defined by individual member states. Slightly different rules will also apply to 'digital service providers'. EU countries have until 9 May 2018 to implement the directive into national laws.
The UK intends to implement the NIS Directive notwithstanding its exit from the EU, and for the legislation to continue to apply following Brexit. The government "supports the overall aim of the NIS Directive and believes that strengthening the security of network and information systems supporting the UK's essential service and digital service providers is consistent with the government's aim to ensure the UK is secure and resilient to cyber threats, prosperous and confident in the digital world", according to its consultation.
Once the new rules are in force, affected organisations will be legally required to ensure that they are taking the necessary action to protect their IT systems. The measures proposed by the government are in line with existing cyber security standards, and organisations that take cyber security seriously should already have similar measures in place, according to the government.
Operators will be required to develop a risk management strategy and policy, to raise staff awareness and training, to report incidents as soon as they happen and to have systems in place to ensure that they can restore systems and respond quickly after an incident. They will be required to implement security measures to prevent attacks or system failures, including measures to detect attacks and to develop security monitoring procedures.
The consultation proposes two penalty "bands" for breaches, in line with EU requirements that penalties should be "effective, proportionate and dissuasive". Band one, set at a maximum of €10m or 2% of global turnover, will apply for lesser offences, such as failure to cooperate with the competent authority or failure to report a reportable incident. Band two, set at a maximum of €20m or 4% of global turnover, will apply to more serious offences, including failure to implement appropriate and proportionate security measures. Fines will be issued as a last resort, and would not apply to operators that had put the required safeguards in place but still suffered an attack.
The government is proposing "thresholds" for each of the essential services to which the new rules will apply, which are designed in such a way as to "capture only the most important operators, rather than the whole sector". Affected services include the supply of potable water to households; the supply of electricity to consumers; electricity transmission and distribution; oil production, refining, treatment and storage; gas transmission and supply; health care; and air, maritime, rail and road transport, among others.
The consultation also proposes definitions for the three main types of digital service provider that will be caught by the new requirements: online marketplaces; online search engines; and cloud computing services. The NIS Directive applies in a lighter touch manner to digital service providers that meet the threshold requirements set out in the directive.